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REMARKS 

This application has been carefully considered in connection with the Final Office 
Action dated April 7, 2008. Reconsideration and allowance are respectfully requested 
in view of the following. 

Summary of Rejections 

Claims 1-33 were pending at the time of the Final Office Action. 
Claims 1-33 were rejected under 35 USC § 103. 
Summary of Response 

Claims 1,9, 1 1, 23, 28 and 31 are currently amended herein. 
Claims 3 and 10 were previously presented. 

Claims 2, 4-8, 12-22, 24-27, 29-30 and 32-33 remain as originally submitted. 
Remarks and Arguments are provided below. 

Summary of Claims Pending 

Claims 1-33 are currently pending following this response. 

Response to Rejections 

Upton, Beck, O'Donnell and Bhat, alone or in combination, do not disclose, teach 
or suggest a client application on a first operating system obtaining a token containing 
user credentials encoded as a platform and application independent string data type and 
providing the token to a server application on a second operating system to use services 
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of the server application, as claimed. Making the token a string data type makes it 
platform and application independent because the token has no header and, therefore, 
no application-specific header configuration. This feature of the claimed token eliminates 
the need to convert security information from the format of one platform to the format of 
another. 

The system of the pending application includes a security application program 
interface, an authentication authority, a store maintaining data, an application program 
interface, and a server application. The security application program interface and 
application program interface are coupled to a client application on a first operating 
system. The security application program interface provides a security credential. The 
authentication authority receives the security credential from the security application 
program interface and, if the security credential is valid, the authentication authority 
generates a token and communicates the token to the security application program 
interface. The store maintaining the data, which is in communication with the 
authentication authority, validates the security credential. The application program 
interface is coupled to the client application and can communicate regarding the token. 
The server application is on a second operating system and receives the token from the 
application program interface and communicates with the authentication authority to 
validate the token to enable the client application to use services of the server application. 
This approach to providing application-to-application enterprise security permits the 
communication of security information in a heterogeneous computing environment using 
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a token containing user credentials encoded as a platform and application independent 
string data type. 

With regard to the art rejections, the Final Office Action has rejected the pending 
claims citing Upton in view of Beck and further in view of O'Donnell. The Final Office 
Action has also rejected the pending claims citing Upton in view of Beck and further in 
view of Bhat. Upton relates to systems and methods for integration adapter security. 
Beck relates to methods and apparatus for providing anonymity to end users in web 
transactions. O'Donnell relates to methods and apparatus for securely granting access 
rights to unattended software. Bhat relates to systems and methods for sign-on to 
Web-based applications. Upton, Beck, O'Donnell and Bhat do not disclose, teach or 
suggest using a token containing user credentials encoded as a platform and 
application independent string data type, or using a security application program 
interface and an application program interface coupled to a client application on a first 
operating system, and a server application on a second operating system to receive the 
token from the application program interface and communicate with an authentication 
authority to validate the token, as claimed. Notably, the tokens found in the pending 
disclosure permit the authentication of users in a heterogeneous computing 
environment. In contrast, the computing environments in Upton, Beck, O'Donnell and 
Bhat require a homogeneous computing environment. 

These distinctions, as well as others, will be discussed in greater detail in the 
analysis of the present claims that follows. 
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Response to Rejections under Section 103 
Claim 1: 

Claim 1 was rejected under 35 USC § 103(a) as being unpatentable over Upton, 
U.S. Patent Application Publication No. 2003/0097574 (hereinafter, "Upton") in view of 
Beck et al., U.S. Patent Application Publication No. 2004/0088349 (hereinafter, "Beck") 
and further in view of O'Donnell et al., U.S. Patent Application Publication No. 
2004/0117615 (hereinafter, "O'Donnell"). 

Claim 1 was also rejected under 35 USC §1 03(a) as being unpatentable over 
Upton in view of Beck and further in view of Bhat et al., U.S. Patent Application 
Publication No. 2003/0200465 (hereinafter, "Bhat"). These rejections are respectfully 
traversed. 

I. Upton, Beck, O'Donnell and Bhat do not disclose, teach or suggest a security 
application program interface and an application program interface coupled to a client 
application on a first operating system, and a server application on a second operating 
system to receive the token from the application program interface, the server 
a pplication communicating with the authentication authority to validate the token. 

Claim 1 (as currently amended) recites, in part, "a security application program 
interface and an application program interface coupled to a client application on a first 
operating system, ...and a server application on a second operating system to receive 
the token from the application program interface, the server application communicating 
with the authentication authority to validate the token..." 

The Final Office Action did not address these elements of claim 1, which were 
provided partly by amendment in this response. Nevertheless, Applicants assert that 
Upton, Beck, O'Donnell and Bhat do not disclose, teach or suggest the "security 
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application program interface and an application program interface coupled to a client 
application on a first operating system, ...and a server application on a second 
operating system to receive the token from the application program interface, the server 
application communicating with the authentication authority to validate the token," as 
recited in claim 1 . 

For example, the primary art cited, Upton, discloses in paragraph [0127], lines 1- 
7 and 18-30: 

FIG. 3 shows an example of a security architecture that can 
be used with systems and methods in accordance with 
embodiments of the invention. As shown therein, clients 
302, 304 (which may be either physical hardware clients or 
software applications) may attempt to access a secured 
service or resource 306, such as a persistent directory 
server, via a transaction or application server 308. ...In any 
case, the connection attempt is received by the transaction 
server, often via an initial connection filter 320, and is 
passed to the security service 322. In accordance with the 
invention, the security service 322 is the focal point for 
security determination, including client and user level 
resource access, authorization, certification, privilege 
assessment and entitlement determination. Enterprise Java 
Beans (EJB's) 324, Web applications (WebApp's) 326, and 
other forms of applications may all use the security service 
through the use of containers. The security service handles 
calls from these containers to the protected resource, which 
in the case of FIG. 2 [sic]. 



Upton also discloses in paragraph [0128], lines 1-10 and 12-18: 

FIG. 4 illustrates an embodiment of the security service 
architecture 400 in greater detail. The security service 
augments the basic security services and features provided 
by the standard Java2 Enterprise Edition security set. As 
shown in this example, the basic java security set 402 
includes security provider interfaces [SPI's] 404 for key 
storage, authentication, certificate validation, and secure 
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sockets, among others. Customer applications 406 may be 
written to directly take advantage of the Java security layer 
and these SPI's. ...In accordance with the invention, 
customer applications are deployed in containers, for 
example, an EJB container 408 of a WebApp container 410. 
The containers communicate directly with the security 
service 414 (herein the same as security service 322), which 
in turn communicates with the Java security layer 402 and 
its security SPI's 404. 

As shown above and in Figures 3 and 4, Upton teaches the use of a security 
service, customer applications and a Java security set including security provider 
interfaces (SPI's) on an application server. Clients connect to the security service via a 
transaction server. The security service communicates with a secured server via a 
directory service. As such, Upton teaches the use of one server (and an associated 
operating system) for the security service and the SPI's and customer applications, a 
different server (and another operating system) for the secured resources, and still 
different operating systems associated with each of the clients disclosed. 
Consequently, Upton does not disclose, teach or suggest "a security application 
program interface and an application program interface coupled to a client application 
on a first operating system, ...and a server application on a second operating system to 
receive the token from the application program interface, the server application 
communicating with the authentication authority to validate the token," as recited in 
claim 1 . 

Additionally, none of the secondary art cited, Beck, O'Donnell and Bhat, 
discloses, teaches or suggests "a security application program interface and an 
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application program interface coupled to a client application on a first operating system, 
...and a server application on a second operating system to receive the token from the 
application program interface, the server application communicating with the 
authentication authority to validate the token," as recited in claim 1. 

For at least the reasons established above in section I, Applicants respectfully 
submit that independent claim 1 is not disclosed, taught or suggested by Upton in view 
of Beck and further in view of O'Donnell or Bhat. Accordingly, Applicants respectfully 
submit that claim 1 is patentable over Upton, Beck, O'Donnell and Bhat and respectfully 
request allowance of this claim. 

II. Upton. Beck. O'Donnell and Bhat do not disclose, teach or suggest wherein the 
token contains user credentials encoded as a platform and application independent 
string data type. 



Claim 1 (as currently amended) also recites, in part, "wherein the token contains 
user credentials encoded as a platform and application independent string data type..." 
With respect to claim 1 , the Final Office Action states, in pertinent part: 

Regarding claim 1, Upton discloses a system to 
provide application-to-application enterprise security, the 
system comprising: 

...an authentication authority (Par [0115], [0128]- 
[0130], [0145]-[0147]; security services; authentication/ 
authorization SPI) receiving the security credential from the 
security application program interface, the authentication 
authority further operable to communicate the token to the 
security application program interface where the security 
credential is valid, wherein the token contains user 
credentials encoded as a platform and application 
independent primitive data type (Fig 4; Par [0104], [0114], 
[0130], [0150]; Claims 1,12; service provider interface/SPI; 
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checking public/password type, or generic/token type 
credentials). 

Final Office Action dated April 7, 2008, Pages 3 and 4. 

Contrary to the assertions made in the Final Office Action, Upton does not 

disclose, teach or suggest "wherein the token contains user credentials encoded as a 

platform and application independent string data type," as recited in (currently 

amended) claim 1. Specifically, the Final Office Action relied on the following 

disclosure in Upton to read on this element of claim 1 : 

[01 50] A Principal-^Credential Mapping (JAAS Login- 
Module) SPI can be based on the JAAS Login Module, and 
can be used to map principal identity when cross security 
domain policy or technology boundaries. The 
responsibilities of the Principal Mapping SPI is based on the 
Subject provided, and can be used to add public credentials 
with appropriate information to subject, such as password 
credentials for username/password, and generic credential 
for token-type credentials . (Underlining added for emphasis.) 



The disclosure in Upton of "generic credential for token-type credentials" is not 
the token recited in claim 1 . For example, the American Heritage® Dictionary of the 
English Language, Fourth Edition, defines the term "generic" as "Relating to or 
descriptive of an entire group or class; general." Clearly, a generic credential (for 
token-type credentials) relating to or descriptive of an entire group or class does not 
teach or suggest "wherein the token contains user credentials encoded as a platform 
and application independent string data type," as claimed. 



51561.02/4000.15700 



Attorney Docket No: IDF 2564 (4000-15700) 



Patent 



The Final Office action also relied on the following disclosure in Upton to read on 

the same element of claim 1 : 

[01 04] For many systems, it may be desirable to include 
support for the Java 2 Enterprise Edition (J2EE) 
specification and interoperability therewith. These J2EE 
specification features include the Common Secure 
Interoperability (CSI) protocol, user identity tokens , the 
Stateless Authentication Service (SAS) protocol, support for 
propagation of security credentials across machine, cluster, 
and/or domain boundaries, control of propagation of identity 
based on policy, enhanced support for virtual host/sites, the 
ability to generate a user identity scoped to domain, and 
host/site specific security policies. (Underlining added for 
emphasis.) 



As shown in the above-cited paragraph, Upton teaches the use of "user identity 
tokens" and does not teach or suggest "wherein the token contains user credentials 
encoded as a platform and application independent string data type," as recited in claim 
1. 

Beck teaches the use of a temporary user ID token. However, Beck discloses in 
paragraph [0020], lines 1-7, "As described above, each time the end-user's browser 
104 makes a request to any web site with which ISP 102 has an established 
relationship, that request is modified by the inclusion of an HTTP header containing a 
temporary user ID token . That token enables the end-user to maintain his anonymity to 
such Web site by using the trustworthy ISP as his agent in the transaction." (Underlining 
added for emphasis.) 

Beck also discloses in paragraph [0021], lines 1-9, "In a second embodiment of 
the invention, HTTP cookies rather than HTTP headers are used as the mechanism to 
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transport a temporary user ID token (and possibly other information) to third-party 
applications running on a Web server. ...A cookie is introduced to the client by 
including a Set-Cookie header as part of an HTTP response." 

Beck further discloses in paragraph [0022], lines 18-23 and 29-32, "A service 
module 206 within intermediary 108 then modifies the response to include a Set-Cookie 
header. That header includes a temporary random or pseudo-random user ID token 
that is generated by the service module 206 and is assigned to the end-user until the 
cookie's expiration date. ...Intermediary 108 then forwards the modified response 
containing the Set-Cookie header with its associated temporary user ID token and 
additional information to the end-user's Web browser 104." (Underlining added for 
emphasis.) 

As shown in the above-cited paragraphs, Beck teaches the use of associating a 
header with its temporary user ID token. In contrast to Beck's teachings of a temporary 
user ID token, the specification of the pending application states in paragraph [0028], 
lines 1-3 and 5-7, "Rather than security information being converted from the format of 
one platform to the format of another, security information is passed between 
applications in the form of a token with a string data type . ...Making the token a string 
makes it platform and technology independent because the token has no header and 
therefore no application-specific header configuration." (Underlining added for 
emphasis.) 

In other words, as shown above, Beck teaches the use of temporary user ID 
tokens associated with HTTP headers or Cookie headers. Consequently, as discussed 
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directly above, Beck does not teach or suggest "wherein the token contains user 
credentials encoded as a platform and application independent string data type," as 
recited in claim 1 . 

O'Donnell teaches the use of a user validation token. However, this user 
validation token is not the token recited in claim 1. Specifically, O'Donnell discloses in 
paragraph [0063], lines 1-8, "Referring to FIG. 2C, a validation token is also issued 240 
in association with the proxy account. The validation token can be any unique identifier 
corresponding to the created proxy account. In one embodiment, the validation token 
comprises a random code with an appended identifier particular to the created proxy 
account . There are numerous alternatives for the validation token, including those that 
are merely the proxy account identifier." (Underlining added for emphasis.) 

O'Donnell also discloses in paragraph [0071], lines 1-5, "The access site 
receives and verifies appropriate credentials corresponding to the proxy account, and 
then sends 328 a user validation token to the authorized user. Like the account 
validation token, the user validation token can be any kind of unique code, number or 
the like." 

As shown above, O'Donnell teaches the use of a validation token with an 
appended identifier particular to the created proxy account. Consequently, this 
validation token is not a token containing "user credentials encoded as a platform and 
application independent string data type," as recited in claim 1. 

Bhat teaches the use of a Single Sign On (SSO) token that provides a listener 
mechanism for applications that need notification when the SSO token expires. Bhat 
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does not disclose, teach or suggest "wherein the token contains user credentials 
encoded as a platform and application independent string data type," as recited in claim 
1. Therefore, for at least the above-described reasons, claim 1 is not unpatentable over 
Upton, Beck, O'Donnell and Bhat and should be allowed. 

Claims depending from Claim 1: 

Claims 2-3 were rejected under 35 USC § 103(a) as being unpatentable over 
Upton in view of Beck. 

Claim 8 was rejected under 35 USC § 103(a) as being unpatentable over Upton 
in view of Beck and further in view of O'Donnell and Laferriere et al., U.S. Patent 
Application Publication No. 2005/0188212 (hereinafter, "Laferriere"). 

Claims 2-7 were rejected under 35 USC § 103(a) as being unpatentable over 
Upton in view of Beck and further in view of Bhat. 

Dependent claims 2-8 depend directly or indirectly from independent claim 1 and 
incorporate all of the limitations thereof. Accordingly, for at least the reasons 
established in sections I and II above, Applicants respectfully submit that claims 2-8 are 
not taught or suggested by Upton in view of Beck, and O'Donnell, Laferriere and Bhat, 
alone or in combination, do not cure the deficiencies of Upton and Beck. Therefore, 
Applicants respectfully request allowance of these claims. 

Claim 9: 

j 
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Claim 9 was rejected under 35 USC § 103(a) as being unpatentable over Upton 
in view of Beck and further in view of O'Donnell. This rejection is respectfully traversed. 

Claim 9 was also rejected under 35 USC § 103(a) as being unpatentable over 
Upton in view of Beck and further in view of Bhat. This rejection is also respectfully 
traversed. 

Claim 9 includes limitations substantially similar to the limitations discussed in 
sections I and II above. Accordingly, the arguments of sections I and II are hereby 
repeated for claim 9. 

For at least the reasons established above in sections I and II, Applicants 
respectfully submit that independent claim 9 is not taught or suggested by Upton in view 
of Beck, and neither O'Donnell nor Bhat cure the deficiencies of Upton and Beck. 

Claims Depending from Claim 9: 

Dependent claims 11-12 and 24 were rejected under 35 USC § 103(a) as being 
unpatentable over Upton in view of Beck and further in view of O'Donnell. 

Dependent claim 15 was rejected under 35 USC § 103(a) as being unpatentable 
over Upton in view of Beck and further in view of O'Donnell and Laferriere. 

Dependent claims 26 and 27 were rejected under 35 USC 103(a) as being 
unpatentable over Upton in view of Beck and further in view of O'Donnell and Favazza. 

Dependent claims 13-14, and 16-25 were rejected under 35 USC 103(a) as 
being unpatentable over Upton in view of Beck and further in view of Bhat. 
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Dependent claims 11-27 depend directly or indirectly from independent claim 9 
and incorporate all of the limitations thereof. Accordingly, for at least the reasons 
established in sections I and II above, Applicants respectfully submit that claims 11-27 
are not taught or suggested by Upton in view of Beck, and O'Donnell, Laferriere, 
Favazza and Bhat, alone or in combination, do not cure the deficiencies of Upton and 
Beck. Therefore, Applicants respectfully request allowance of these claims. 

Claim 28: 

Claim 28 was rejected under 35 USC § 103(a) as being unpatentable over Upton 
in view of Beck and further in view of O'Donnell. This rejection is respectfully traversed. 

Claim 28 was also rejected under 35 USC § 103(a) as being unpatentable over 
Upton in view of Beck and further in view of Bhat. This rejection is also respectfully 
traversed. 

Claim 28 includes limitations substantially similar to the limitations discussed in 
sections I and II above. Accordingly, the arguments of sections I and II are hereby 
repeated for claim 28. 

For at least the reasons established above in sections I and II, Applicants 
respectfully submit that independent claim 28 is not taught or suggested by Upton in 
view of Beck, and O'Donnell and Bhat, alone or in combination, do not cure the 
deficiencies of Upton and Beck. Therefore, Applicants respectfully request allowance 
of this claim. 
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Claims Depending from Claim 28: 

Claims 28 and 29 were rejected under 35 USC § 103(a) as being unpatentable 
over Upton in view of Beck and further in view of O'Donnell. Claims 28-33 were also 
rejected under 35 USC § 103(a) as being unpatentable over Upton in view of Beck and 
further in view of Bhat. Dependent claims 29-33 depend directly or indirectly from 
independent claim 28 and incorporate all of the limitations thereof. Accordingly, for at 
least the reasons established in sections I and II above, Applicants respectfully submit 
that claims 29-33 are not taught or suggested by Upton in view of Beck, and O'Donnell 
and Bhat, alone or in combination, do not cure the deficiencies of Upton and Beck. 
Therefore, Applicants respectfully request allowance of these claims. 
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Conclusion 



Applicants respectfully submit that the pending application is in condition for 
allowance for the reasons stated above. If the Examiner has any questions or 
comments or otherwise feels it would be helpful in expediting the application, the 
Examiner is encouraged to telephone the undersigned at (972) 731-2288. 

The Commissioner is hereby authorized to charge payment of any further fees 
associated with any of the foregoing papers submitted herewith, or to credit any 
overpayment thereof, to Deposit Account No. 21-0765, Sprint. 



Respectfully submitted, 



Date: June 9, 2008 



/Michael W. Piper/ 



Michael W. Piper 
Reg. No. 39,800 



Conley Rose, P.C. 

5601 Granite Parkway, Suite 750 

Piano, Texas 75024 

(972) 731-2288 

(972) 731-2289 (facsimile) 



ATTORNEY FOR APPLICANTS 
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